From 93fdab7dc56a80c59d8ff5e69f9f339af41e9fbb Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Thu, 3 Mar 2022 12:03:42 +0000
Subject: [PATCH] Bug 25936: Add option to send password change notices
This patch add a new security notice to allow sending notification of password changes to patrons. If enabled, the 'PASSCHANGE' notice will be sent to respective patrons whenever their password is updated.
Test plan
1) Run the database updates
2) Enable the new feature by setting 'NotifyPasswordChange' to 'Notify'
3) Change a users password
4) Check that the notice appears in the patrons notices
Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
---
 Koha/Patron.pm | 36 ++++++++++++++++++-
 .../data/mysql/atomicupdate/bug_25936.pl | 27 ++++++++++++++
 .../mysql/en/mandatory/sample_notices.yml | 15 ++++++++
 installer/data/mysql/mandatory/sysprefs.sql | 1 +
 .../en/modules/admin/preferences/patrons.pref | 6 ++++
 5 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100755 installer/data/mysql/atomicupdate/bug_25936.pl
diff --git a/Koha/Patron.pm b/Koha/Patron.pm
index 8d2cf1fe44..96a72a393a 100644
--- a/Koha/Patron.pm
+++ b/Koha/Patron.pm
@@ -26,10 +26,11 @@ use Unicode::Normalize qw( NFKD );
 use Try::Tiny;
 use C4::Context;
+use C4::Auth qw( checkpw_hash );
 use C4::Log qw( logaction );
 use Koha::Account;
 use Koha::ArticleRequests;
-use C4::Letters;
+use C4::Letters qw( GetPreparedLetter EnqueueLetter SendQueuedMessages );
 use Koha::AuthUtils;
 use Koha::Checkouts;
 use Koha::CirculationRules;
@@ -889,6 +890,39 @@ sub set_password {
 }
 }
+ if ( C4::Context->preference('NotifyPasswordChange') ) {
+ my $self_from_storage = $self->get_from_storage;
+ if ( !C4::Auth::checkpw_hash( $password, $self_from_storage->password ) ) {
+ my $emailaddr = $self_from_storage->notice_email_address;
+
+ # if we manage to find a valid email address, send notice
+ if ($emailaddr) {
+ my $letter = C4::Letters::GetPreparedLetter(
+ module => 'members',
+ letter_code => 'PASSWORD_CHANGE',
+ branchcode => $self_from_storage->branchcode,
+ ,
+ lang => $self_from_storage->lang || 'default',
+ tables => {
+ 'branches' => $self_from_storage->branchcode,
+ 'borrowers' => $self_from_storage->borrowernumber,
+ },
+ want_librarian => 1,
+ ) or return;
+
+ my $message_id = C4::Letters::EnqueueLetter(
+ {
+ letter => $letter,
+ borrowernumber => $self_from_storage->id,
+ to_address => $emailaddr,
+ message_transport_type => 'email'
+ }
+ );
+ C4::Letters::SendQueuedMessages( { message_id => $message_id } );
+ }
+ }
+ }
+
 my $digest = Koha::AuthUtils::hash_password($password);
 $self->password_expiration_date( $self->category->get_password_expiry_date || undef );
diff --git a/installer/data/mysql/atomicupdate/bug_25936.pl b/installer/data/mysql/atomicupdate/bug_25936.pl
new file mode 100755
index 0000000000..ded356bc6b
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/bug_25936.pl
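Review bot: The `) or return;` after `GetPreparedLetter` leaves set_password before the `hash_password` call that follows the added block, so whenever the notice cannot be prepared the password is not changed at all and the caller gets an empty return. Assuming GetPreparedLetter returns false for an unknown code, that is what happens as written, because the lookup uses `letter_code => 'PASSWORD_CHANGE'` while the atomicupdate and sample_notices.yml hunks of this patch install the notice as `PASSCHANGE`. I would make the code match (`letter_code => 'PASSCHANGE',`), end the call with a plain `);` and wrap the enqueue and send in `if ($letter) { ... }`, so that a missing template costs the notification and not the password update. set_password starts and ends outside this hunk, so the return value its callers expect is not visible here.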
@@ -0,0 +1,27 @@
+use Modern::Perl;
+
+return {
+ bug_number => "25936",
+ description => "A password change notification feature",
+ up => sub {
+ my ($args) = @_;
+ my ($dbh, $out) = @$args{qw(dbh out)};
+
+ # Add PASSCHANGE notice
+ $dbh->do( q{
+ INSERT IGNORE INTO letter (module, code, name, title, content, message_transport_type) VALUES ('members', 'PASSCHANGE', 'Notification of password change', 'Library account password change notification',
+ "Dear [% borrower.firstname %] [% borrower.surname %],
+
+ Someone has changed your library user account password.
+
+ If this is unexpected, please contact the library.
+ ", 'email');
+ });
+
+ # Add systempreference
+ $dbh->do(q{
+ INSERT IGNORE INTO systempreferences (variable,value,explanation,options,type)
+ VALUES ('NotifyPasswordChange','0','','Notify patrons whenever their password is changed.','YesNo')
+ });
+ },
+};
diff --git a/installer/data/mysql/en/mandatory/sample_notices.yml b/installer/data/mysql/en/mandatory/sample_notices.yml
index 8b8cf3aee1..e58b67891c 100644
--- a/installer/data/mysql/en/mandatory/sample_notices.yml
+++ b/installer/data/mysql/en/mandatory/sample_notices.yml
@@ -1076,6 +1076,21 @@ tables:
 - ""
 - "If you did not initiate this request, you may safely ignore this one-time message. The request will expire shortly."
+ - module: members
+ code: PASSCHANGE
+ branchcode: ""
+ name: "Notification of password change"
+ is_html: 1
+ title: "Library account password change notification for [% patron.firstname %] [% patron.surname %]"
+ message_transport_type: email
+ lang: default
+ content:
+ - "Dear [% patron.firstname %] [% patron.surname %],"
+ - ""
+ - "Someone has changed your library user account password."
+ - ""
+ - "If this is unexpected, please contact the library"
+
 - module: members
 code: PASSWORD_RESET
 branchcode: ""
diff --git a/installer/data/mysql/mandatory/sysprefs.sql b/installer/data/mysql/mandatory/sysprefs.sql
index 15f7073ff6..6390c4433f 100644
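Review bot: The systempreferences INSERT in the atomicupdate lists its columns as `(variable,value,explanation,options,type)`, so the text 'Notify patrons whenever their password is changed.' lands in `options` and `explanation` stays empty, while the sysprefs.sql row added by this patch stores NULL in `options` and the text in `explanation`; upgraded and fresh installs end up with different rows. Using `(variable,value,options,explanation,type)` with `NULL` as the third value would make them agree. The notice inserted here also diverges from the sample_notices.yml hunk: it addresses the patron through `[% borrower.firstname %]` where the YAML uses `[% patron.firstname %]`, and it sets neither `is_html` nor the same title. set_password passes only `tables` to GetPreparedLetter, so whether a `patron` variable is populated for the YAML version is worth confirming. `$out` is unpacked but never used, so the update reports nothing about what it changed.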
--- a/installer/data/mysql/mandatory/sysprefs.sql
+++ b/installer/data/mysql/mandatory/sysprefs.sql
@@ -387,6 +387,7 @@ INSERT INTO systempreferences ( `variable`, `value`, `options`, `explanation`, `
 ('NoticeCSS','',NULL,'Notices CSS url.','free'),
 ('NoticesLog','0',NULL,'If enabled, log changes to notice templates','YesNo'),
 ('NotifyBorrowerDeparture','30',NULL,'Define number of days before expiry where circulation is warned about patron account expiry','Integer'),
+('NotifyPasswordChange','0',NULL,'Notify patrons whenever their password is changed.','YesNo'),
 ('NovelistSelectEnabled','0',NULL,'Enable Novelist Select content. Requires Novelist Profile and Password','YesNo'),
 ('NovelistSelectPassword','',NULL,'Novelist select user Password','free'),
 ('NovelistSelectProfile','',NULL,'Novelist Select user Profile','free'),
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref
index 15d3ccb74b..0edf57f6d9 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref
@@ -160,6 +160,12 @@ Patrons:
 0: "Don't send"
 - an email to newly created patrons.
 - '
NOTE: This uses the WELCOME notice.'
+ -
+ - pref: NotifyPasswordChange
+ choices:
+ 1: Notify
+ 0: "Don't notify"
+ - patrons whenever their password is changed.
 -
 - pref: UseEmailReceipts
 choices:
--
2.39.5